April 29, 2011

Tracking Do Not Track at Morris + King

A bit of Context
Obviously, this diagram is a little cynical (courtesy of Chinagrrrl), but not too far off from how we manage personal data online today. But there are a lot of proposals on the table to fix this dilemma. One is Do Not Track which industry sees as something they can self-impose on an *opt-in* basis (for themselves) and opt-out (for the users) and self-regulate by having advertising trade org.s monitor compliance, with the FTC stepping in as necessary. There are also a number of DNT bills introduced in Congress and various hearings on tracking where the FTC would regulate implementation. And Johns Kerry and McCain have introduce a Rights and Responsibilities proposal in the Senate, that instead of Do Not Track (Kerry's LA, Danny Sepulveda told me DNT is a waste of time) suggest ways that data collectors would have to be responsible with our data. However, that bill lets 3rd party marketing, data tracking and Facebook's privacy bending ways totally off the hook. Both of these plans / legislative initiatives completely ignore the more than 40 startups and companies building for the Personal Data Ecosystem where users would collect their own data, and make use of the value, which the World Economic Forum recently said was "a new asset class".

That said, the rest of this post describes the Tracking DNT panel at Morris + King the other night.

Tracking Do Not Track
Tuesday night I was on a panel at Morris + King, an PR firm in NYC, called Tracking Do Not Track. Our hosts: Andy Morris and Dawn Barber (who co-founded NY Tech Meetup with Scott Heifferman) were very good about putting together a diverse group of people to talk about Do Not Track and the various issues with personal data and the advertising industry that have so many talking these days. My guesstimate was that about 100 people attended, mostly from industry (tech & advertising).

Our group included:
Brian Morrisey (Editor in Chief of Digiday, an ad industry trade publication) as Moderator
David Norris (CEO of Blue Cava)
Dan Jaffe (Exec VP, Govt Relations for the Assoc of National Advertisers - ANA)Helen Nissenbaum, Professor, Media, Culture & Communication at New York University
and me: Chair of the Personal Data Ecosystem Consortium

We started off with Brian's question: who are you, what do you do in a nutshell, and what do you think of the state of online privacy these days?

I was first.. and gave a quick explanation of PDEC which is to say that we offer a middle way between Do Not Track (DNT) and what is going on now online (Business as Usual). Our middle way offers a market solution to users' wanting control of their data, and the tracking and digital dossier building by shadowy companies to stop..we don't believe DNT will work and don't support it, though we do see that some kind of "Rights and Responsibilities" legislation would help create a level playing field for any company that collects personal data. Those rights and responsibilities for personal data collectors needs to include giving user's a copy of their data, so they can then put them into personal data stores (or banks, lockers, etc) and then use the data as the person sees fit.

Oh, and I said the state of online privacy was pretty dismal, though I was optimistic because it feels like this year, it's actually possible to get personal data some basic protections similar to HIPPA or FCRA where user's can get their data, and we can make the Personal Data Ecosystem emerge as a market solution that finally works for people. Granted, it's a 5-7 year proposition to really create a new market, but we can actually start this year because of the 40 or so startups that are funded and building pieces of the PDE and the push in the US Government to do something about the dismalness of online privacy.

Helen Nissenbaum, whom I've admired for years for her thoughtful approach to privacy and usability, agreed that privacy online was pretty bad, and explained her work around Adnostic, a "privacy preserving targeted advertising" system made with some Stanford folks.

By far, the best comment Helen made all night was that tracking and aggregating data that pivots on people is not ethical, that it's bad for people and for the incremental 1% improvement we might see in targeted advertising, it's not worth the incredible intrusiveness of tracking. In particular she said, "Anonymization does not change intrusiveness."

Dan Jaffe spoke next, and surprise, agreed that online privacy is not good, but talked about how publishers need to support their businesses and that behavioral advertising is helping them do it, and that Do Not Track should be self-regulated by the industry because they know their business best. And government has a tendency to screw up regulations and therefore, we should let advertisers figure out what works.

Next up was David Norris, who agreed with my use of the word, "dismal" to describe online privacy and said that Blue Cava was supporting a self-regulatory model because they didn't feel that Do Not Track as proposed for legislation was a good idea.

We chatted about the viability of Do Not Track, and with Norris, Jaffe and me all agreeing it wasn't a good idea. However Jaffe said he didn't like the idea of any regulation, that the industry could do it themselves, and that my "data rights and responsibilities" support for legislation would be just as bad for data collectors.

Folks in the audience, like Esther Dyson, pushed back on Jaffe, saying that she wanted the ability to choose where and when her data was out at some vendors site, and that's why, she said, "I'm supporting Mary and her organization" because it's a market model that gave her choice.

I was very pleased to hear her endorse us (thank you Esther!)

In the end, I think we got our message out which is that tracking individuals is a bad thing, that users should be the only ones tracking themselves across sites, but that sites can track within the site to optimize business. And that users should have a marketplace to trade data, like they do in mileage accounts, and choose when they trade, as partners, and not have it done for them in secret as is the case now. And that we want to see users data protected with a basic set of rights, like Health, Education and Financial data currently is now.

Curiously, Dan Jaffe made a comment about HIPPA, the health data protection law, suggesting that users get their health data so maybe they could get their personal data too. Given that that is a law, and he was opposed to regulation of any sort otherwise, I wasn't sure what to make of this.

However, I was really pleased with the opportunity to talk about PDEC, the startups and tech efforts to create a personal data ecosystem, and to provide a different view than the usual support for Do Not Track as we try to figure out what is best for our society.